## /etc/merecat.conf                                     -*-conf-unix-*-
## This is a sample configuration file for Merecat httpd
## For more help and more settings, see merecat.conf(5).
##

## what interface to bind to?
## (default is binding to any interface)
hostname = 127.0.0.1

## Port to listen to, overrides command line argument
## Defaults to 80, or 443 when enabling HTTPS
#port = 80

## Unpriviliged user to run as, usually nobody or www-data
username = nobody

## Global .htpasswd (true) or local per-directory (false)
global-passwd = false

## Chrooting is a security measure which means isolating the webserver's
## access to files only available from a the given directory.  To access
## files outside the chroot the administrator can either copy or bind
## mount files and directories into the chroot.
chroot = false

## Only useful if not chrooting
check-symlinks = false

## Alt. charset=iso-8859-1
charset = UTF-8

## Deflate (gzip) compression level: -1 .. 9
## -1: Default (zlib's reasonable default, currently 6)
##  0: Disabled
##  1: Best speed
##  9: Best compression
compression-level = -1

## Webserver document root, or chroot
directory = /var/merecat/www

## When chrooting, alt. document root inside chroot
## => /var/www/htdocs
data-directory = /htdocs

## Skip dotfiles in dirlistings
list-dotfiles = false

## Virtual hosting
## /var/www/cgi-bin/          <-- Shared CGI
## /var/www/git.example.com   <-- git.example.com
## /var/www/ftp.example.com   <-- ftp.example.com
virtual-host = false

## Control the caching, in seconds, by setting the following header for
## all transactions.  Depends heavily on the content you provide, and
## this global setting is disabled by default.  It is recommended to
## instead set it per server location, e.g. for all image files.
##
##    Cache-Control: max-age=SEC
##
## Min max-age value 0 (browser caching disabled)
## Max max-age value 31536000 (1 year)
##
max-age = 3600

## Some bots behave really badly and may overload your server.  Often
## they cannot be blocked based on IP address, so the only means we are
## left with is User-Agent blocking.  Use patterns like this:
user-agent-deny = "**SemrushBot**|**MJ12bot**|**DotBot**|**PetalBot**"

## Enable HTTPS support.  The certificate (public) and key (private) are
## required when enabling HTTPS support.  The (min) protocol and cipher
## settings are optional and have sane built-in defaults, e.g. 'protocol'
## defaults to TLSv1.1.  See ciphers(1) man page for possible values.
##
## Note: You may want to enable this on a per-server basis instead.
#ssl {
#    protocol = "TLSv1.1"
#    ciphers  = "..."
#    certfile = certs/cert.pem
#    keyfile  = private/key.pem
#    dhfile   = certs/dhparam.pem
#}

## The CGI module is a core part of Merecat httpd and is for security
## reasons disabled by default.  Like other modules it uses pattern
## matching to trigger the CGI functionality:
##	?	match a single char
##	*	matches any string excluding "/"
##	**	matches any string including "/"
##	separate multiple patterns with "|"
## Example: "**.sh|**.cgi"
##
## `limit` sets the max number of simultaneous CGI programs allowed.
##
## The below values are the default, so to enable CGI only `enabled`
## need to be set to 'true'.
#cgi "**.cgi|/cgi-bin/*" {
#    enabled = false
#    limit   = 50
#}

## The PHP module is bolted on top of the CGI module, so the same limits
## apply also to PHP scripts.  The below are the built-in defaults.
## Verify the path to the php-cgi binary for your system and expand on
## the pattern if you have, e.g. .php5 files.
php "**.php*" {
    enabled  = true
    cgi-path = "/usr/bin/php-cgi"
}

## The SSI module, like PHP above, is built on top of the CGI module,
## and it also requires the Merecat SSI CGI script to be installed, the
## defaults are commented out below.  The silent setting controls the
## default <!--#config errmsg="..." --> value.
#ssi "**.shtml" {
#    enabled  = false
#    silent   = false
#    cgi-path = "cgi-bin/ssi"
#}

## Server specific settings, overrides certain global settings
## Notice the HTTP redirect from the default server to HTTPS.
server default {
    port = 80
    redirect "/**" {
        code = 301
        location = "https://$host$request_uri$args"
    }
}

server secure {
    port = 443
    ssl {
        certfile = /var/merecat/www/certs/server.pem
        keyfile  = /var/merecat/www/private/server.key
        dhfile   = /var/merecat/www/certs/dhparm.pem
    }
}
